Please read through the instructions before you start (you may want to print this out).
+++++++++++++++++++++++++++++++++++++++++++++++++
Here's the fix:
Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Remote Procedure Call (RPC) Helper
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed, go ahead with the next steps.
2. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!
3. CLOSE ALL WINDOWS AND BROWSERS. Scan with Hijack This and put checks next to all the following, then click "Fix Checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uqeza.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uqeza.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uqeza.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3C6CC679-D791-5088-7B82-255DDF6E905A} - C:\WINDOWS\msne.dll
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [netld.exe] C:\WINDOWS\system32\netld.exe
O4 - HKLM\..\RunOnce: [mfcyn.exe] C:\WINDOWS\system32\mfcyn.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntht.exe (file missing)
4. Delete the following files if present:
If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.
C:\WINDOWS\ntht.exe << This file
C:\WINDOWS\system32\mfcyn.exe << This file
C:\WINDOWS\system32\netld.exe << This file
C:\Program Files\Ebates_MoeMoneyMaker << This folder
C:\WINDOWS\msne.dll << This file
C:\WINDOWS\uqeza.dll << This file
5. Run AboutBuster. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.
6. Scan with AdAware and let it remove any bad files found.
7. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
8. Double click on the cwsserviceremove and when asked to merge say yes.
9. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.
10. Reboot into normal mode.
11. Download the Hoster from here http://members.aol.c...bee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.
12. Download and run this online virus scan:
http://housecall.tre.../start_corp.asp
Make sure you check "AutoClean"
then reboot and post a fresh Hijack This log to see how we did.
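
An added example, not part of the original post: a Python sketch that parses the HijackThis entries from step 3, checks that every file they reference is covered by the step 4 delete list, and flags entries in a follow-up log that still point at those paths. The entries and paths are copied from the post (the garbled O23 service name is left out); the follow-up log lines and all function names are constructed for illustration.

```python
import re

# Entries copied from step 3 of the post (garbled O23 service name left out).
FIXED_ENTRIES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uqeza.dll/sp.html#37049
O2 - BHO: (no name) - {3C6CC679-D791-5088-7B82-255DDF6E905A} - C:\WINDOWS\msne.dll
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [netld.exe] C:\WINDOWS\system32\netld.exe
O4 - HKLM\..\RunOnce: [mfcyn.exe] C:\WINDOWS\system32\mfcyn.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown owner - C:\WINDOWS\ntht.exe (file missing)
""".strip().splitlines()
# Step 4 delete list, lower-cased; the last item is a folder.
DELETE_LIST = [r"c:\windows\ntht.exe", r"c:\windows\system32\mfcyn.exe",
               r"c:\windows\system32\netld.exe", r"c:\windows\msne.dll",
               r"c:\windows\uqeza.dll", r"c:\program files\ebates_moemoneymaker"]
# Constructed follow-up log: one entry that survived, one unrelated entry.
FRESH_LOG = [r"O4 - HKLM\..\Run: [netld.exe] C:\WINDOWS\system32\netld.exe",
             r"O4 - HKLM\..\Run: [ExampleTool] C:\Example\tool.exe"]

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# First drive-letter path in the entry, up to its file extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll|html?)\b', re.I)

def parse(lines):
    """Yield (section_code, referenced_path_or_None) for each log entry."""
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            p = PATH_RE.search(m.group(2))
            yield m.group(1), (p.group(0).lower() if p else None)

def covered(path, delete_list):
    """True if path is on the delete list or inside a listed folder."""
    return any(path == d or path.startswith(d + "\\") for d in delete_list)

def uncovered(entries, delete_list):
    """Paths referenced by fixed entries that the delete list would miss."""
    return sorted({p for _, p in parse(entries)
                   if p and not covered(p, delete_list)})

def leftovers(fresh_log, delete_list):
    """Entries in a follow-up log that still point at a deleted path."""
    return [(c, p) for c, p in parse(fresh_log) if p and covered(p, delete_list)]

if __name__ == "__main__":
    print("missed by delete list:", uncovered(FIXED_ENTRIES, DELETE_LIST))
    print("still referenced:", leftovers(FRESH_LOG, DELETE_LIST))
```

An entry that shows up under "still referenced" means the registry value was recreated or the fix did not take, which is the thing to look for in the fresh log requested in step 12.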